Direct enable mode access with the help of ACS

Unanswered Question
Jul 8th, 2009

Dear All, I am trying to set up a group which has priv 15 access & they should see enable mode after authentication via ACS; they should not be asked for an enable password. How can I do this? I am unable to do so. I tried it but it's not working. What I need is that ACS should assign priv level 15 to configured users. I don't want to use Shell command sets.

I need the same thing for the ASA firewall as well.

Is there any way to achieve this?

Jagdeep Gambhir Wed, 07/08/2009 - 10:16

For IOS devices,


Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated



On ACS


Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field



This feature is not supported on ASA/firewalls.


Regards,

~JG


Do rate helpful posts

jain.nitin Wed, 07/08/2009 - 10:30

I tried this but it didn't work for me; see my config on the devices below.

aaa new-model
aaa group server tacacs+ bwaaa
server 10.2.6.1
server 10.2.6.2
ip tacacs source-interface Vlan1111
!
aaa authentication login aaa-list group bwaaa local
aaa authentication enable default group bwaaa enable
aaa authorization exec aaa-list group bwaaa local
aaa accounting exec aaa-list start-stop group bwaaa
aaa accounting commands 1 aaa-list start-stop group bwaaa
aaa accounting commands 15 aaa-list start-stop group bwaaa
aaa accounting system default start-stop group bwaaa

Jagdeep Gambhir Wed, 07/08/2009 - 12:03

First try with a simple vanilla config:


tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated


If the issue is still there, get the debugs then:

debug aaa authentication
debug aaa authorization
debug tacacs


Regards,

~JG


jain.nitin Thu, 07/09/2009 - 11:15

Hi, thanks, it worked with the default list but it is not working with my defined list. I don't know what's the reason behind that. Do you have any idea?
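
Added example, not part of the thread and not Cisco's code: on IOS a method list named `default` applies to every line automatically, while a named list such as `aaa-list` takes effect only on lines where it is bound with `login authentication` / `authorization exec`. The audit below reports which list is in effect on each line and whether it is defined; the `line` sections of the sample are constructed, since the poster's line config is not shown.

```python
import re

# Constructed sample: the AAA lines mirror the named-list config posted in the
# thread; the "line" sections are assumptions (the thread never shows them).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login aaa-list group bwaaa local
aaa authorization exec aaa-list group bwaaa local
line vty 0 4
 transport input ssh
line vty 5 15
 login authentication aaa-list
 authorization exec aaa-list
"""

DEFINE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) ")
APPLY = re.compile(r"^\s+(login authentication|authorization exec) (\S+)")
KIND = {"authentication login": "login", "login authentication": "login",
        "authorization exec": "exec"}

def audit(config):
    """Return (per-line effective lists, named lists never applied to a line)."""
    defined = {"login": set(), "exec": set()}
    lines, current = {}, None
    for raw in config.splitlines():
        m = DEFINE.match(raw)
        if m:
            defined[KIND[m.group(1)]].add(m.group(2))
        elif raw.startswith("line "):
            current = raw.strip()
            # IOS uses the list named "default" when none is bound to the line.
            lines[current] = {"login": "default", "exec": "default"}
        elif current and (m := APPLY.match(raw)):
            lines[current][KIND[m.group(1)]] = m.group(2)
        elif not raw.startswith(" "):
            current = None  # left the line sub-mode
    # (list name, is it defined?). exec == ("default", False) means no exec
    # authorization is requested there, so a priv-lvl from ACS is never applied.
    findings = {name: {k: (v, v in defined[k]) for k, v in used.items()}
                for name, used in lines.items()}
    applied = {k: {u[k] for u in lines.values()} for k in defined}
    unused = {k: sorted(defined[k] - applied[k] - {"default"}) for k in defined}
    return findings, unused

if __name__ == "__main__":
    for item in audit(SAMPLE_CONFIG):
        print(item)
```

In the sample, `line vty 0 4` reports `("default", False)` for exec, which matches the symptom of a user landing at a non-privileged prompt, while `line vty 5 15` reports the named list as in effect.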
